Name: Chris Patten 
Job: Security Consultant 
Interests: Tech/Breaking $%&! 
Twitter: @packetassailant 
Email: cpatten@packetresearch.com 
■ OWASP, Black Hat, 6Labs, WSJ 
■ SECURITY 

Service Discovery...It Works... 

■ When service scans are necessary 

■ Vulnerability Assessments 

■ Penetration Tests 

■ Network Troubleshooting 

■ Numerous Tools Available 

■ Fyodor's Nmap 

■ Kaminsky's Scanrand 

■ Jack C. Louis' Unicornscan 


With a stateful firewall architecture. 


Securely Enabling Business 


Most of the time... 




SYN Scans typically return open ports 


cps-MacBook-Pro:cp$ sudo nmap -sS -p 80,22,3306,130-140 192.168.1.13 

Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-10 16:48 EDT 
Nmap scan report for 192.168.1.13 
Host is up (0.0038s latency). 
PORT     STATE  SERVICE 
22/tcp   open   ssh 
80/tcp   open   http 
130/tcp  closed cisco-fna 
131/tcp  closed unknown 
132/tcp  closed cisco-sys 
133/tcp  closed statsrv 
134/tcp  closed unknown 
135/tcp  closed msrpc 
136/tcp  closed profile 
137/tcp  closed netbios-ns 
138/tcp  closed netbios-dgm 
139/tcp  closed netbios-ssn 
140/tcp  closed unknown 
3306/tcp open   mysql 

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds 
cps-MacBook-Pro:cp$ 
Sometimes... 

■ What about SYN Flood Protection? 

■ BSD PF Synproxy State 

■ Netfilter/IPTables DELUDE Target 

■ F5 SYN Check 

■ Juniper's SYN-Protector 

■ Cisco's TCP Intercept 

■ Difficult to identify relevant services 

■ Creates two sessions 

■ Acts as a broker to bridge sessions 

■ Incomplete SYN scan transaction 
Again, but with SYN Flood enabled... 

[Diagram: Scanner <-> Stateful FW w/ SYN Flood Protection] 
And then again, sometimes not... 

SYN Flood protection returns all ports as open 


root@ubuntu:~# nmap 10.0.1.10 

Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-13 11:16 PDT 
root@ubuntu:~# nmap 10.0.1.10 -p 1-100 

Starting Nmap 5.21 ( http://nmap.org ) at 2012-07-13 11:16 PDT 
Nmap scan report for 10.0.1.10 
Host is up (0.00032s latency). 
PORT   STATE SERVICE 
1/tcp  open  tcpmux 
2/tcp  open  compressnet 
3/tcp  open  compressnet 
4/tcp  open  unknown 
5/tcp  open  unknown 
6/tcp  open  unknown 
7/tcp  open  echo 
8/tcp  open  unknown 
9/tcp  open  discard 
10/tcp open  unknown 
11/tcp open  systat 
12/tcp open  unknown 
13/tcp open  daytime 
14/tcp open  unknown 
15/tcp open  netstat 
16/tcp open  unknown 
17/tcp open  qotd 
18/tcp open  unknown 
19/tcp open  chargen 
20/tcp open  ftp-data 
21/tcp open  ftp 
22/tcp open  ssh 


Misconceptions of the truth?... 

■ People say crazy @#%$! 

■ Increase the packet delay 

■ Perform a Connect Scan 

■ Use a different scan (ACK, FIN) 

■ Use version detection and grep 

■ Why this is often just crazy @#%$! 

■ FW not allowing connections without state through 

■ Connect Scan checks for 3-way handshake completion... not useful! 

■ Version detection when every port is flagged as open is... slow! 




What is SYN Flood Protection?... 




■ A proxy completing the 3-way handshake on the host's behalf 
■ A method to broker SYN connections 
■ Prevention of resource exhaustion 
■ Protection against spoofed source IPs 

■ SYN Cookies 

■ Adjustable Queue Size 

But we just need a legitimate response 


A better way to address the problem 
Introducing Mook Scanner 

■ C/C++ using libpcap 

■ Two types of scans available 

■ MSS Option Scanning 

■ Connect Response Scanning 

■ Confidence scoring 





MSS Option Scanning 

■ Essentially a SYN Scan 

■ Dependent on FW Configuration 

■ Detects whether the Host or the FW is replying in the SYN,ACK response 

■ Typically the FW will set a different MSS Value than the Host 

■ Ported to Nmap, works kind of... a patch may be available ;) 

Process: 

1. Send SYN with no MSS Option Set 

2. If the SYN,ACK MSS Option size is the same as the user-defined size, mark the port as open and raise confidence by 1 

Connect Response Scanning 

■ Kind of like Nmap connect scan 

■ Works with all implementations of SYN Flood Protection 

■ Not sure if it can be ported to Nmap without a huge overhaul. 

Process: 

1. connect() to complete 3-way handshake 

2. close() socket 

3. Listen for ACK; PSH,ACK; or FIN,ACK 

4. For each response raise confidence by 1 
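The two scoring steps above (MSS Option Scanning and Connect Response Scanning), as an added C example that is not Mook's own code: a TCP option walker that pulls the MSS out of a captured SYN,ACK header, the comparison against the user-defined MSS value, and the per-response confidence count after connect() + close(). The header builder and the flag sequence are constructed sample input, and all function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_PSH = 0x08, TH_ACK = 0x10 }; /* byte 13 */

/* Return the MSS (option kind 2) from a TCP header's option block, or -1 when
 * the header is truncated, the option list is malformed, or no MSS is present. */
int tcp_mss_option(const uint8_t *tcp, size_t len) {
    if (len < 20) return -1;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;        /* data offset in bytes */
    if (hlen < 20 || hlen > len) return -1;
    for (size_t i = 20; i < hlen;) {
        uint8_t kind = tcp[i];
        if (kind == 0) break;                         /* end of option list */
        if (kind == 1) { i++; continue; }             /* NOP padding */
        if (i + 1 >= hlen) return -1;                 /* length byte missing */
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > hlen) return -1;   /* bogus option length */
        if (kind == 2 && olen == 4) return (tcp[i + 2] << 8) | tcp[i + 3];
        i += olen;
    }
    return -1;
}

/* MSS option scan: our SYN carried no MSS, so a SYN,ACK whose MSS equals the user-defined value scores +1 (open). */
int mss_scan_score(const uint8_t *synack, size_t len, int expected_mss) {
    if (len < 20 || (synack[13] & (TH_SYN | TH_ACK)) != (TH_SYN | TH_ACK)) return 0;
    return tcp_mss_option(synack, len) == expected_mss;
}

/* Connect response scan: after connect() + close(), each ACK, PSH,ACK or FIN,ACK from the target adds 1. */
int connect_response_score(const uint8_t *flags, size_t n) {
    int score = 0;
    for (size_t k = 0; k < n; k++) {
        uint8_t f = flags[k] & (TH_FIN | TH_SYN | TH_RST | TH_PSH | TH_ACK);
        if (f == TH_ACK || f == (TH_PSH | TH_ACK) || f == (TH_FIN | TH_ACK)) score++;
    }
    return score;
}

/* Constructed sample: a 24-byte SYN,ACK header carrying only a 4-byte MSS option. */
size_t build_synack(uint16_t mss, uint8_t *out, size_t cap) {
    if (cap < 24) return 0;
    memset(out, 0, 24);
    out[12] = 6 << 4; out[13] = TH_SYN | TH_ACK;      /* data offset = 6 words */
    out[20] = 2; out[21] = 4; out[22] = mss >> 8; out[23] = mss & 0xff;
    return 24;
}
```

In a live scanner the header bytes would come from the libpcap capture of the SYN,ACK, and the flag sequence from the packets seen after the socket is closed.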
Tempting the Demo Gods... 

■ Time to see Mook in action! 


Come and get some... 




Huptwo34.com: http://huptwo34.com/mook/mook.html 
Questions?... 

Thank you! 
Comments Welcome! 
Got Skills... Let's talk! 